Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users.
The attackers used popular legitimate websites such as Twitter, GitHub and other compromised web servers to send instructions to, and steal data from, the compromised machines, according to an APT report published by the security firm FireEye.
The attackers post instructions for their backdoors in a tweet, which contains a URL and a hashtag. The malware downloads the content hosted at that URL, including all images on the page.
They hide the data and other instructions within an image file using a technique called steganography.
The hashtag contains a number representing a location within the image file and a few characters that are appended to the decryption key. That key is used to retrieve the data stored in the image.
The instructions also specify where to upload the stolen data: the malware uploads it to a specific account on a cloud storage service using the login credentials supplied in the instructions.
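One cheap check a responder can run over images pulled from the pages a tweet pointed at is whether any bytes follow the image's own end marker, since a carrier that hides a payload "at a location within the image file" often simply has that payload appended after the real picture. The block below is an added example, not code from the FireEye report or from the malware it describes; it constructs a tiny 1x1 PNG as a clean carrier and a labelled opaque blob standing in for an encrypted block, then reports the offset and length of anything trailing the PNG `IEND` chunk or the first JPEG `EOI` marker. Data hidden inside pixel values, rather than appended, would not be caught by this check.

```python
import struct
import zlib

# Added example: flag bytes appended after the end of a PNG or JPEG image.
# Sample images below are constructed; nothing here comes from the report.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def image_end_offset(data: bytes):
    """Offset just past the last byte a well-formed decoder reads, or None if unknown."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        # Walk PNG chunks: 4-byte length, 4-byte type, data, 4-byte CRC.
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            end = pos + 8 + length + 4
            if end > len(data):
                return None  # truncated chunk, not a valid image
            if ctype == b"IEND":
                return end
            pos = end
        return None
    if data.startswith(JPEG_SOI):
        # First EOI marker after SOI. Caveat: an EXIF thumbnail embeds its own
        # JPEG (with an EOI) and would make this fire early; a full marker
        # parser is needed for those files.
        eoi = data.find(JPEG_EOI, 2)
        return None if eoi == -1 else eoi + 2
    return None


def find_trailing_data(data: bytes):
    """Return (offset, length) of bytes after the image end, or None if none."""
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return None
    return end, len(data) - end


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the clean carrier for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


CLEAN_PNG = build_sample_png()
HIDDEN = b"\x9a\x41\x2c constructed-opaque-blob \x00\x7f"  # stands in for an encrypted block
SUSPECT_PNG = CLEAN_PNG + HIDDEN


def triage(images: dict) -> dict:
    """Map each image name to its trailing-data finding, for a hunt over downloaded files."""
    return {name: find_trailing_data(blob) for name, blob in images.items()}


if __name__ == "__main__":
    for name, finding in triage({"clean.png": CLEAN_PNG, "suspect.png": SUSPECT_PNG}).items():
        if finding is None:
            print(name, "clean")
        else:
            print(name, f"{finding[1]} trailing bytes at offset {finding[0]}")
```

Running it prints `clean.png clean` and a trailing-bytes finding for `suspect.png` whose offset equals the length of the clean carrier. In a real hunt the offset and length are the values to record alongside the source URL, since they tie the carrier back to the location the hashtag encodes.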
APT 29 is suspected to be based in Russia because it is active during normal working hours in Moscow.